[332] in athena10
Re: Caching DNS for Athena 10
daemon@ATHENA.MIT.EDU (Kevin Chen)
Mon Jul 28 16:44:09 2008
Date: Mon, 28 Jul 2008 16:43:23 -0400 (EDT)
From: Kevin Chen <kchen@MIT.EDU>
To: ghudson@mit.edu
cc: athena10@mit.edu
In-Reply-To: <200807281952.m6SJq5Ms008332@outgoing.mit.edu>
Message-ID: <alpine.DEB.1.10.0807281629200.6462@vinegar-pot.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Mon, 28 Jul 2008, ghudson@MIT.EDU wrote:

> 3. (Optional) Configure the caching resolver to listen only to 127.0.0.1
> 4. (Optional) Configure the caching named to forward to MIT name servers
>
> (3) is a simple configuration tweak to either package; the question is
> whether we want to do it. If the cache is accessible from the
> outside, it is perhaps easier to compromise since you can force the
> cache to perform a DNS query on demand; on the other hand, that's
> often not difficult to do through other means. Having the cache
> accessible from the outside does make it easier to scan for
> vulnerability.

It also protects you in case any vulnerabilities in BIND happen to
surface. If the only reason for listening externally is to scan for
vulnerabilities, you should have that information already by getting the
list of packages on the machine with athinfo, assuming that still exists
in Athena 10. Doing whatever DNS queries you want is also much easier
than getting a user to load a web page or something pointing to the
desired name.

Open recursion also allows random attackers to use your system to perform
denial of service attacks from the system.

Googling finds these documents, which might be useful:

http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt
http://www.afnic.fr/actu/nouvelles/general/NN20060404_en
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf

> (4) is an easy configuration tweak to dnsmasq, and a slightly harder
> one to bind9.

What's the benefit of doing so?

--
Kevin Chen
http://www.sneswhiz.com/
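As an added illustration of steps (3) and (4) from the quoted message, not configuration taken from the Athena project or from either poster: the open-resolver form of each package beside the locked-down one. The upstream addresses 192.0.2.53 and 192.0.2.54 are RFC 5737 documentation placeholders standing in for the MIT name servers, which the thread does not list.

```text
# ---- dnsmasq: /etc/dnsmasq.conf ----
# Weak: with no listen-address or interface line, dnsmasq answers on every
# interface, so any host that can reach the machine can make it perform
# recursive lookups (the open-recursion case discussed above).

# Hardened (step 3): answer only on loopback. bind-interfaces makes dnsmasq
# bind the listed address rather than the wildcard socket.
listen-address=127.0.0.1
bind-interfaces

# Step 4: forward to fixed upstream servers instead of whatever
# /etc/resolv.conf happens to contain. Placeholder addresses (RFC 5737).
no-resolv
server=192.0.2.53
server=192.0.2.54

# ---- BIND 9: /etc/bind/named.conf.options ----
options {
    // Weak: listening on every interface and recursing for any client.
    //   listen-on { any; };
    //   allow-recursion { any; };

    // Hardened (step 3): only loopback can reach the cache or ask it to recurse.
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    allow-recursion { localhost; };

    // Step 4: send all queries to the upstream servers (placeholders again);
    // "forward only" keeps named from iterating from the roots on its own.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};
```

After restarting the daemon, `dig @127.0.0.1 example.com` on the machine itself should still resolve, while the same query aimed at the machine's external address from another host should get no reply, because nothing is listening there. The `allow-recursion` line in the BIND version is a second layer: even if a later edit widens `listen-on`, the cache still refuses to recurse for non-local clients.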